{"id":"MAL-2026-5937","summary":"Malicious code in abuden21 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4db5b16c4a10377beb73341758a26afed16a44d377dc03009601f610dd289b22)\nThe tarball ships `auto-publish.sh`, which iterates a hardcoded list of ~90 unrelated package names (`imillegal1..N`, `ishowfeet*`, `nottuff*`, `abuden*`, `ratelimitsucks*`) and runs `npm publish --silent` for each, republishing the same payload under each name. The payload is a browser SPA (Mercury/Scramjet-style web proxy with a Lucide UI) plus heavily obfuscated JS bundles in `assets/*.js`. `package.json` has no `preinstall`/`install`/`postinstall` hooks and no `bin`; the declared `main` is a browser service worker (`sw.js`) that calls `importScripts`/`self` and throws immediately under Node, so `npm install abuden21` and `require('abuden21')` perform no code execution against the installer. The bundled `index.html` (and a duplicate inside `logo.svg`) registers click/keydown/touchstart handlers that open `https://abdct.com/` as a popunder on first user gesture when the SPA is served in a browser — monetisation of the web-proxy front-end, not installer-side harm. No credential reads, no outbound exfiltration on install, no RCE, no dropper. The behaviour of concern is namespace pollution: the same tarball is mass-published across many unrelated names to squat the npm namespace and ride traffic / typo'd installs. Routing to human review for namespace-abuse handling; this is not a direct supply-chain attack on installers but is an abuse pattern the registry/feed maintainers may want to act on.\n","modified":"2026-06-17T00:16:41.789504922Z","published":"2026-06-16T23:43:22Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006860","source":"amazon-inspector","sha256":"4db5b16c4a10377beb73341758a26afed16a44d377dc03009601f610dd289b22","modified_time":"2026-06-16T23:43:22Z","import_time":"2026-06-17T00:00:53.898636484Z","versions":["1.7.7"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/abuden21/v/1.7.7"}],"affected":[{"package":{"name":"abuden21","ecosystem":"npm","purl":"pkg:npm/abuden21"},"versions":["1.7.7"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"abuden21-1.7.7.tgz","hashes":{"sha512_sri":"sha512-B6dWi9yMIYL9/pDGGecgVnuM8YexzjSAHvvInDS9sryxKqD3QPwMge46yvNjgA3pWomEBM2latzdSIROJUKywg==","sha1":"d8d167b306f248d9722937c64d105b1b044d28d8"}}],"evidence_files":[{"sha256":"eac36a0d7e3ef6116faba93afc7185a3bd0e8a3e867869c0b17cc56754ab8c5c","path":"auto-publish.sh","tlsh":"2661521c0d19ff360b8be4fba9d2e8e13105ae66d6542913b4bf4c44ab6bb71f059090"},{"sha256":"f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c","path":"index.html","tlsh":"2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/abuden21/MAL-2026-5937.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}